(57) ABSTRACT

A system and method protect the integrity of a data set during post-processing operations. In general, integrity is protected by operations performed by a manipulation agent including a processor connected to dedicated memory. The operations of the manipulation agent include at least providing a data set and recording characteristics of each post-processing operation into the data set. The data set includes data and a record. The record includes a number of entries (fields) to contain the various characteristics of a post-processing operation such as an incoming hash value of the data, an extended digital signature, and the like.
SYSTEM AND METHOD FOR ENSURING INTEGRITY THROUGHOUT POST-PROCESSING

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the field of data security. More particularly, the present invention relates to a system and method of preserving integrity of a data set undergoing post-processing operations.

2. Description of Art Related to the Invention

Over the last few years, there have been many advances in hardware and software designed for implementation within an electronic capture device in order to digitize sensory data (e.g., a visible image and/or an audible sound). Examples of an "electronic capture device" include a digital camera, a digital video recorder, or a digital scanner. After being digitized, the sensory data may be immediately downloaded to a computer for storage on a hard disk drive. Alternatively, the data may be internally stored within the electronic capture device to be downloaded at a later time.

During storage or transmission the digitized data is susceptible to illicit modification. Currently, digital signatures can be used to protect data integrity by ensuring that the digitized data cannot be illicitly modified without detection. Unfortunately, there is no scheme utilized by conventional electronic capture devices that supports modification of digitally-signed data without rendering its corresponding digital signature invalid.

SUMMARY OF THE INVENTION

The present invention relates to a system and method for preserving data integrity. First, a data set is provided. The data set includes data and a record. Thereafter, characteristics of post-processing operations associated with that data set are recorded into the record of the data set. In one embodiment, the contents of the records are used to verify whether the data has been compromised through unauthorized post-processing operations.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the present invention will become apparent from the following detailed description of the present invention in which:

FIG. 1 is a block diagram illustrating the creation of a digital signature through cryptographic operations.

FIG. 2 is a block diagram illustrating a first embodiment of an electronic system that ensures data integrity throughout post-processing.

FIGS. 3A and 3B are block diagrams illustrating embodiments of a manipulation processing element implemented within the electronic system of FIG. 2.

FIG. 4 is a perspective view of a second embodiment of the electronic system ensuring data integrity throughout post-processing.

FIG. 5 is a perspective view of a processing unit of FIG. 4 including the manipulation processing element.

FIG. 6 is a perspective view of a top side of a processor substrate of the processing unit of FIG. 5.

FIG. 7 is a block diagram illustrating a third embodiment of an electronic system that ensures data integrity throughout post-processing.

FIGS. 8A-8D are block diagrams illustrating the data set including data and a record.

FIG. 9 is a flowchart illustrating those procedural steps undertaken in preserving integrity of generalized data.

FIG. 10 is a flowchart illustrating an embodiment of a validation scheme.

FIG. 11 is a block diagram illustrating one feature of the validation scheme of FIG. 10 used to determine whether any modifications were performed in post-processing by analyzing the data stream.

DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention relates to a system and method designed to preserve the integrity of information undergoing post-processing operations. The system includes one or more electronic devices capable of performing operations that collectively protect data integrity during post-processing. The method is directed to these operations, regardless of the means of implementation. This is due to the fact that the preservation of a data set during post-processing may be practiced by a number of hardware implementations besides those explicitly mentioned herein.

In the following description, some terminology is used to generally describe certain features or characteristics of the invention. For example, an "electronic system" may include a computer (e.g., a [...] mainframe, etc.) or any other equipment having digital signal processing capability including an electronic capture device such as a digital camera, digital camcorder, digital scanner and the like. "Information" is generally defined as one or more bits of (i) [...] and/or control. A "data set" is generally defined as digitized information including a record and data. The "data" includes, but is not limited or restricted to sensory data (e.g., a digitized visible image, digitized audible sound, etc.) and/or non-sensory data (e.g., a digital document). The "record" includes information used for verification (e.g., authentication or identification) of the data set and possibly its sender. An illustrative embodiment of the record is described below. "Integrity" is generally defined as a state where information has not been modified in an unauthorized manner.

Additional terminology includes a "key" which is an encoding and/or decoding parameter used by conventional cryptographic techniques such as a symmetric key cryptographic function (e.g., a Data Encryption Algorithm as specified in Data Encryption Standard) or a public-key cryptographic function (PKC) such as a Rivest, Shamir and Adleman (RSA) function. A "hash function" is an operation of converting incoming information of any arbitrary length into a hash value of a fixed size. Examples of hash functions may include, but are not limited or restricted to the following: Message Digest 5 (MD5) provided by RSA Data Security, Inc. [...] and a Secure Hash Algorithm (SHA-1) specified by the National Institute of Standards and Technology of Washington, D.C.

It is contemplated that digital signatures may be used to protect the integrity of a data set by providing a reliable mechanism to check whether the data set has not been illicitly modified (referred to as "compromised") after being digitally signed. Herein, a "digital signature" is generally defined as a transformation, normally a public-key cryptographic function by encrypting information with a private key of the signatory. For digital signatures, this information may include data content of the data set in its entirety, or a hash value of that data set after being transferred through a one-way hash function.

For example, as shown in FIG. 1, if digital signature 10 contains information (e.g., a hash value 15) encrypted with
a private key (PRKS) 20 associated with a first electronic system (provider) 25, one can accurately determine whether the information has been compromised. This may be accomplished by a second electronic system (recipient) 35 translating original data set 30, concurrently provided with digital signature 10, into a new hash value 40 by a one-way hash function identical to the hash function used by first electronic system 25 to generate hash value 15. Next, the second electronic system 35 decrypts digital signature 10 with a pre-stored or loaded public key (PUKS) 21 of first electronic system 25 to recover hash value 15. After recovering hash value 15, a comparison is performed between new hash value 40 and recovered hash value 15. If there is a match, the original data set 30 has not been compromised.

For authentication, digital signature 10 may be accompanied by an optional (represented by dashed lines) digital certificate chain 45 including at least one digital certificate. The "digital certificate" is generally defined as any information pertaining to the provider, typically its public key 21, encrypted with a private key (PRKTA) by a certification authority 50. Normally, a "certification authority" 50 is any person or entity in a position of trust to guarantee or sponsor a digital certificate chain, including but not limited or restricted to a bank, governmental entity, trade association, a manufacturer, and the like. The public key (PUKTA) of the certification authority 50 may be widely available and loaded or stored within second electronic system 35. The "digital certificate chain" 45 is a hierarchy of digital certificates upon which information from one certificate may be used to obtain information of another certificate.

Of course, once data set 30 has been digitally "signed", modification of data set 30, whether for illicit or legitimate reasons, will invalidate digital signature 10. As a result, this technique of using digital signatures to protect the integrity of information is quite limited. The reason is that digital signatures fail to account for any legitimate post-processing without an appearance that the information has been compromised. "Post-processing" involves the performance of operations on information after the information has been digitally signed. For example, certain compression/decompression techniques performed on original data set 30 (e.g., using "lossy compression") would inevitably result in a decompressed, resultant data set that does not exactly match the original data set. Thus, if applied to the data set before such compression, digital signature 10 would be invalidated. This precludes any certainty that the resultant data set has not been compromised.

To overcome this disadvantage, a system and method of the present invention is developed in order to allow general post-processing of digital data while still maintaining a chain of integrity. This system and method would be valuable to a number of industries such as Internet Service Providers, content distribution industry, the banking industry, insurance industry, real-estate industry, and the like.

Referring now to FIG. 2, a first embodiment of an electronic system 100 employing the present invention is shown. In this embodiment, electronic system 100 comprises a host processor 105, a main memory element 110 (e.g., any non-volatile or volatile memory such as dynamic random access memory "DRAM" or static random access memory "SRAM") and a manipulation processing element 135 connected together by a chipset 115. The chipset 115 establishes communication paths between a plurality of buses, namely a host bus 120, a memory bus 125, a peripheral bus 130 and a dedicated bus 145. It is contemplated, however, that manipulation processing element 135 may be connected to the host bus 120 or peripheral bus 130 in lieu of bus 145.

The peripheral bus 130 provides a communication path between a plurality of peripheral devices 140_1-140_m ("m" being a positive whole number). The peripheral bus 130 may be a Peripheral Component Interconnect (PCI) bus, Industry Standard Architecture (ISA) bus or any other type of bus architecture. It is contemplated that peripheral bus 130 is shown as a single bus, but it may be multiple buses connected together through bridge circuitry in which each peripheral device 140_1-140_m is connected to at least one of the multiple buses. Additionally, peripheral devices 140_1-140_m may include, but are not limited or restricted to a mass storage device 140_1 (e.g., a hard disk drive, a compact disc-read only memory "CD-ROM" player, CD recordable player, digital tape drive, a floppy disk drive, a digital video disk player, etc.), a transceiver device 140_m (e.g., a network interface circuit "NIC" card, a modem, etc.) and the like.

Referring to FIGS. 3A and 3B, illustrative embodiments of manipulation processing element 135 of FIG. 2 are shown. Connected to a bus when placed in an electronic system (e.g., bus 145), manipulation processing element 135 comprises an integrated circuit (IC) device 200 contained within a package 205. The package 205 protects IC device 200 from damage and harmful contaminants. It is contemplated that IC device 200 may include a single IC chip or multiple IC chips in communication with each other.

As shown in FIG. 3A, IC device 200 comprises a processing unit 210, a memory unit 215, and an optional random number generator 220, all of which may be interconnected through an internal bus 225. IC device 200 supports post-processing operations and cryptographic operations such as, for example, encryption and/or decryption, creation of a digital signature, performance of a hash function and generation of keys (e.g., by random number generator 220 if implemented).

In this embodiment, processing unit 210 performs computations on the data set internally within a secure environment (i.e., an environment with minimal vulnerability to a physical or algorithmic attack). These computations involve post-processing operations including, but not limited or restricted to cropping, feature enhancement, recolorization, compression and/or decompression, resolution reduction, frame deletion, interpolative resolution enhancement, rotation as well as font changes, background color modification, scaling, ordering, spell-checking, repagination and the like.

Memory unit 215 may include a non-volatile memory element 216 which is capable of storing a device unique, public/private key pair to support public-key cryptography, at least one digital certificate, software to support post-processing operations and an optional identification number uniquely assigned to manipulation processing element 135. This non-volatile memory 216 is used primarily because it retains its contents when supply power is discontinued. In addition, memory unit 215 may include random access memory (RAM) 217 in order to temporarily contain certain results from processing unit 210.

As shown in FIG. 3B, IC device 200 comprises a logic unit 250 and a memory unit 260. Logic unit 250 includes logic circuitry such as processing unit 210 and optional random number generator 220 described above. Memory unit 260 includes at least non-volatile memory (e.g., flash memory) for internal storage within package 205. These units 250 and 260 are connected together by a bus 270 which enables information to be exchanged one or more bits at a time.



04/29/2004, EAST Version: 1.4.1

US 6,357,004 B1

Referring back to FIG. 2, although manipulation processing element 135 is implemented as a co-processor, it is contemplated that a variety of different implementations could be selected. For example, manipulation processing element 135 may be implemented within a disk controller, on a Personal Computer Memory Card International Association (PCMCIA) or "smart" card, or within a cartridge-like package including host processor 105 as described in FIGS. 4-6. Other alternative implementations may include incorporating the functionality of manipulation processing element 135 into a chipset and/or within host processor 105 as shown for illustrative purposes as FIG. 7.

Furthermore, even though manipulation processing element 135 appears to be described in connection with a PC platform, it is contemplated that it could be implemented within any electronic system including peripherals such as a fax machine, printer, plotter and other peripherals or even on a communication path between a computer and an I/O peripheral device.

Referring to FIG. 4, a second embodiment of an electronic system 300 implemented with the present invention is shown. The electronic system 300 (e.g., a computer) includes a system substrate 310, outlined by dashed lines, which controls the overall functionality of electronic system 300. Normally formed with any type of material or materials upon which integrated circuit components can be attached, system substrate 310 includes a connector 320 which enables communications between logic placed on system substrate 310 and a processing unit 330 connected to the connector 320. Any style for connector 320 may be used, including a standard female edge connector or a pin field connector.

Referring now to FIG. 5, processing unit 330 includes a processor substrate 400 formed from any type of material upon which integrated circuitry (not shown) can be attached through well-known techniques (e.g., solder connection, etc.). The processor substrate 400 is substantially covered by a rectangular-shaped package 410 in order to protect its integrated circuitry from damage or harmful contaminants. The processor substrate 400 includes a connector 420, preferably adapted to establish a mechanical and electrical connection with connector 320 of FIG. 4. As shown, connector 420 includes any type of connector which mates with connector 320. In this embodiment, connector 420 includes a standard male edge connector.

Referring to FIG. 6, an illustrative embodiment of processor substrate 400 is shown. The integrated circuitry of processor substrate 400 includes, but is not limited or restricted to at least one processor 500, memory 510 and a manipulation processing element 520. For communication with processor 500, manipulation processing element 520 may be connected to a backside bus (typically also connecting to memory element 510), to a front-side bus (typically also connecting to external connector 420 of FIG. 5), or on a dedicated internal bus. Of course, the placement of this logic (manipulation processing element) is arbitrary so long as the latency is acceptable and its intended operations are fully supported. Although not shown, discrete components (e.g., capacitors, oscillators, resistors, inductors, etc.) are attached to processor substrate 400 in a selected manner to, among other things, maximize routability and decrease length of communication lines between integrated circuitry.

As further shown in FIG. 6, the manipulation processing element 520 may be alternatively configured as a combination of logic which is placed on processor substrate 400 and collectively performs post-processing operations. The processor 500 is a single microprocessor but may include one or more microprocessors. The memory 510 may include, but is not limited or restricted to non-volatile memory such as read only memory (ROM), erasable programmable read only memory (EPROM), flash memory and the like.

Referring now to FIG. 7, a third embodiment of an electronic system 600 employing the present invention is shown. Similar to the electronic system 100 of FIG. 2, this electronic system 600 comprises a host processor 605 and a main memory element 610 (e.g., DRAM, SRAM, etc.) connected together by a chipset 615. Chipset 615 is connected to a bus 620.

The host processor 605 includes the functionality of the manipulation processing element with an ability to perform post-processing operations on a data set. With respect to the host processor implementation, this may be accomplished by constructing host processor 605 as a multi-chip module operating in combination with the die (or dice) forming the manipulation processing element or as a single-chip host processor having the functionality in the form of protected execution capability.

It is contemplated that secure post-processing operations may be supported by either dedicated circuitry such as manipulation processing element (FIGS. 3A, 3B, 4, 5 and 6) or non-dedicated circuitry (e.g., chipset, peripheral device or host processor described in FIG. 7). Thus, for clarity sake, a "manipulation agent" is defined as any circuitry supporting post-processing operations including both dedicated and non-dedicated circuitry.

Referring to FIGS. 8A-8D, post-processing operations by one or more manipulation agents are shown. In FIG. 8A, an original data set 700 is provided to a first manipulation agent 705. As shown in FIG. 8B, the data set 700 includes a record 740 and data 760. In this embodiment, "data" 760 includes either sensory data or non-sensory data. The "record" 740 contains information that can be used to determine whether modifications to data set 700 were in accordance to a predetermined set of authorized operations or otherwise acceptable.

Referring back to FIG. 8A, after performing post-processing operations on data of an incoming data set (e.g., original data set 700), a new, modified data set 710 is created by first manipulation agent 705. The modified data set 710 features an updated (or augmented) record which includes information relating to the post-processing operations and a digital signature over the data set after these post-processing operations. As shown in FIG. 8C, record 740 may include a number of entries (fields) 745_1-745_n ("n" being a positive whole number; n≥2 in this embodiment). Each of the entries 745_1-745_n has been created by either the original provider of data set 700 or by a previous manipulation agent. Typically, the first entry 745_1 will simply include the digital signature applied by the provider of the original data set 700. As the data set is modified by more manipulation agents 715 and 725 (see FIG. 8A), the entries for each of these updated data sets are added to the record 740.

As shown in FIG. 8D, after post-processing activities are completed, a new entry (e.g., nth entry 745_n) is created having data fields to contain characteristics associated with post-processing operation(s). The entry 745_n, like all entries, would include (i) a hash value 750_1 computed from the incoming data, (ii) an optional Manipulation Agent Type (MA_TYPE) 750_2, (iii) an optional Manipulation Process Identifier (MP_ID) 750_3, (iv) at least one Manipulation Operation Specifier (MOS) value 750_4, (v) an optional outgoing hash value 750_5 computed over the outgoing
(post-processed) data, (vi) an extended digital signature 750_6 applied to the preceding fields of the entry, and (vii) one or more optional certificates (certificate chain) 750_7.

The incoming hash value 750_1 is used to verify that the data received by the manipulation agent has not been compromised. MA_TYPE 750_2 establishes which manipulation agent performed post-processing operations on the data. Note that this information may also be obtained from the optional certificate(s) 750_7 (if provided). Additionally, the MP_ID 750_3 specifies which specific configuration (e.g. software) of the manipulation agent has been used to perform the post-processing operations.

MOS value(s) 750_4 specifies what operation(s) was (were) performed on the data. For example, one MOS value might indicate "background color changed to blue", while another might indicate "font style changed to 8-point Times", while yet another might indicate "image scaled by 132%". The outgoing hash value 750_5 provides sufficient information for verification of the post-processed data produced by the manipulation agent by performing a hash operation of the data. The extended digital signature 750_6 is produced by hashing the data after post-processing operations were completed, referred to as an "outgoing hash value", and encrypting the outgoing hash value under the private key of the manipulation agent. The outgoing hash value may be used to provide sufficient information for verification of the post-processed data produced by the manipulation agent. The optional certificate or certificate chain 750_7 may support the process used in authenticating the extended digital signature 750_6.

Referring back to FIG. 8C, after the new entry (e.g., entry 745_n) is created, it is appended to record 740, generally without modifying any of the previous entries 745_1-745_(n-1). This process continues for subsequent post-processing operations performed by different electronic systems in which the byte size of the record 740 is augmented. Local verification of data sets at each electronic system is not required, but may be used to alleviate potential bandwidth issues.

Referring to FIG. 9, operations performed to support post-processing of information without sacrificing its integrity are shown. For example, an incoming data set is captured or created (Block 805). The creation or capture of the incoming data set may involve a number of sub-steps. For example, one sub-step is that the data of the incoming data set needs to be either captured (if sensory data is contained in the data set), or created (if non-sensory data such as a presentation slide is contained in the data set). Next, this data is processed in accordance with a selected hash function to create a first hash value. The first hash value is digitally signed to create a first digital signature which is placed in the record of the data set.

In this example, suppose the receiving electronic system is authorized to make format changes to the digital document (e.g., font style, background color, etc.); however, its user is not authorized to make substantive changes to the data of the incoming data set. Upon receiving the incoming data set, the receiving electronic system performs a hash function on the data of the incoming data set to produce an incoming hash value (Blocks 810-815). This hash value is used to verify data integrity at any time during or after post-processing.

After generating the incoming hash value, the receiving electronic system is able to perform one or more post-processing operations on the data of the incoming data set. Each post-processing operation is entered into a MOS field in the current entry, which records the post-processing operations performed after receiving the incoming data set (Block 820). It is required that the design of the manipulation agent enforces a strict policy of indicating all post-processing operations of the data in the created entry.

Upon completing every desired post-processing operation (Block 825), the current entry is completed with information so as to include at least the following: (i) the incoming hash value; (ii) outgoing hash value; (iii) the MOS values associated with the post-processing operations; (iv) the extended digital signature; and (v) optionally MA_TYPE, MP_ID and/or digital certificates (Block 830). After the entry has been completed, the record of the new data set is updated by appending another entry to the existing record (Block 835).

Referring to FIGS. 10 and 11, an illustrative flowchart of operational steps used to ensure that data produced by an electronic system has not been compromised is shown. The ordering of these operational steps may vary from the embodiment described below. One operational step is to verify that the outstanding post-processing operations are performed by authorized manipulation agent(s) as configured by their manipulation process(es) (Block 905). For example, such verification may be accomplished by analyzing a recorded MA_TYPE and MP_ID against a listing of one or more acceptable MA_TYPEs and MP_IDs found in an external database, internal storage of the electronic system or perhaps a printed publication (Block 910). Alternatively, such verification may be accomplished by providing a digital certificate from a trusted evaluation authority which evaluated whether the MA_TYPE and MP_ID combination(s) associated with a manipulation agent is (are) acceptable.

Another operational step is to verify that each entry has not been compromised (Block 915). This is accomplished by decrypting the extended digital signatures for each entry 745_1-745_n in order to recover a corresponding hash value associated with each extended digital signature. Each recovered hash value is successively compared with the outgoing hash value contained in that entry. For example, for entry 745_n, extended digital signature 750_6 is decrypted to recover a hash value which is compared to outgoing hash 750_5. If a successful match is determined, the process would continue for each entry of the record. This recovery and comparison process is continued for each remaining entry 745_1-745_(n-1) in a chronological order, in a reverse chronological order or in another ordering scheme. Otherwise, if the recovery and comparison process uncovers a discrepancy between a recovered hash value and its corresponding hash value, data is considered to be compromised (Block 920).

Finally, it is necessary to verify that the data stream has not been compromised (Block 925). One embodiment used to perform such verification includes hashing the data of the record to produce a new hash value which is compared with outgoing hash value 750_5 of the most recent entry 745_n as shown in FIGS. 10 and 11. If these values compare, the incoming hash value 750_1 of entry 745_n (n≥4 in this embodiment) is compared with the outgoing hash value 750_5 of a preceding entry 745_(n-1). This continues until incoming and outgoing hash values of successive entries do not compare or the comparison of incoming and outgoing hash values is completed without experiencing a mismatch (Block 930). It is noted that the last verification would likely involve authenticating the digital signature of the provider.

It is contemplated that the second and third operational steps may be performed in combination by eliminating the outgoing hash value entry 750_5 for each record entry and simply decrypting the extended digital signature for each






entry 745_1-745_n to recover its corresponding outgoing hash value. In general, each recovered outgoing hash value is successively compared with an incoming hash value contained in a subsequent entry (with exception to the most current outgoing hash value). For example, for entry 745_n, extended digital signature 750_6 would be decrypted to recover a corresponding outgoing hash value which is compared to the hash value of the data portion of the current data set. If a successful match is determined, the process would continue for a preceding entry of the record.

Next, the extended digital signature of entry 745_(n-1) would be decrypted to recover its outgoing hash value. This value is compared with the incoming hash value 750_1 of entry 745_n. If a successful match is determined, the process would continue for the next preceding entry of the record. This process would continue for each remaining entry 745_1-745_(n-2) unless a discrepancy between a recovered outgoing hash value and its immediately subsequent incoming hash value is uncovered. In that case, data is considered to be compromised (Step 920). It is contemplated that this process may be performed in other ordering schemes besides the scheme presented above.

It is contemplated that because the manipulation agent is a trusted hardware platform, the authenticity of each post-processing operation (through its hash value and signature) is ensured. This ensures that the record is correct. Note that this scheme does not require the manipulation agents to authenticate any of the previous operations performed on the data set. If the data set is corrupted at any point, the associated record becomes invalid and the entire data set is considered compromised. Thus, verification is only required once the data set is fully post-processed and ready for use by another entity. It is contemplated, however, that each manipulation agent may be able to check the validity of the preceding extended digital signature(s). As a result, if the signature is validated, the manipulation agent may substitute the entries for a single message that validation of the digital signature concerning certain post-processing operations has been verified. This may be done to reduce the size of the data set to avoid potential bandwidth problems.

While various embodiments of the invention have been described, those skilled in the art will realize that other embodiments of the invention are easily foreseeable without departing from the spirit and scope of the present invention. Moreover, well known circuitry and operational steps are not set forth in detail in order to avoid unnecessarily obscuring the present invention. The invention should, therefore, be measured in terms of the following claims.

What is claimed is: 

1. A method comprising: 

receiving a data set including a record and data, the data set being digitally signed; and

performing at least one lossy post-processing operation on the data to produce a resulting data set, the resulting data set does not exactly match the digitally signed data set; and

recording characteristics of each of the at least one lossy 
post-processing operation into a record of the resulting 
data set. 

2. The method of claim 1, wherein after the recording of the characteristics, the method further comprising:

placing a first hash value of the data into the record. 

3. The method of claim 2, wherein after the recording of 
the characteristics, the method further comprising: 

placing a second hash value of the data into the record. 

4. The method of claim 3 further comprising:

placing an extended digital signature into the record of the resulting data set.



5. The method of claim 4 further comprising: 

placing a manipulation operation specifier corresponding 
to each lossy post-processing operation into the record, 
the manipulation operation specifier indicating the at 
least one lossy post-processing operation performed on 
the data after the digitally signed data set was digitally 
signed. 

6. The method of claim 5 further comprising:

placing a manipulation agent type into the record of the resulting data set, the manipulation agent type establishing which manipulation agent performed the at least one lossy post-processing operation.

7. The method of claim 6 further comprising: 

placing a manipulation process identifier into the record 
of the resulting data set, the manipulation process 
identifier indicating a specific configuration of a 
manipulation agent used to perform the at least one 
lossy post-processing operation. 

8. The method of claim 7 further comprising: 

placing at least one digital certificate in the record, the 
digital certificate includes a public key of the manipu- 
lation agent. 

9. A method comprising: 

(a) receiving an electronically signed data set including 
data and a record; 

(b) placing a first hash value of the data into the record 
after receiving the data set; and 

(c) placing a second hash value of the data into the record 
after performing at least one lossy post-processing 
operation on the data. 

10. The method of claim 9 further comprising: 

(d) placing a manipulation process identifier into the 
record of the data set, the manipulation process iden- 
tifier to indicate a specific configuration of a manipu- 
lation agent used to perform the at least one lossy 
post-processing operation. 

11. The method of claim 9 further comprising: 

(d) placing an extended digital signature into the record of 
the data set. 

12. The method of claim 11, wherein the placing of the 
extended digital signature into the record includes: 

(dl) performing a hash operation on the data to produce 
a result after all of the at least one lossy post-processing 
operation have completed; and 

(d2) encrypting the result in accordance with a public key 
cryptographic function. 

13. The method of claim 9 further comprising: 

(d) placing a manipulation agent type into the record of 
the data set, the manipulation agent type establishing 
which manipulation agent performed the at least one 
lossy post-processing operation.

14. The method of claim 9, wherein before placing the 
second hash value of the data into the record, the method 
further comprising: 

(bl) placing a manipulation operation specifier corre- 
sponding to the at least one lossy post-processing 
operation into the record of the data set, the manipu- 
lation operational specifier indicating the at least one 
lossy post-processing operation.

15. The method of claim 9 further comprising: 

(d) placing at least one digital certificate into the record of 
the data set, the digital certificate includes a public key. 

16. A system comprising:

a bus; and

a first manipulation agent connected to the bus, the first manipulation agent including

an internal bus,

a memory element connected to the internal bus, and

a processor coupled to the internal bus, the processor to receive an electronically signed data set, to perform at least one lossy post-processing operation on data of the data set and to generate an extended digital signature for storage into a record of the data set.

17. The system of claim 16 further comprising: 

a second manipulation agent in communication with the 
first manipulation agent, the second manipulation agent 
capable of performing at least one lossy post- 
processing operation on the data after the at least one 
lossy post-processing operation and generating an 
extended digital signature for storage into the record of 
the data set. 

18. The system of claim 16, wherein the bus is one of a 
Peripheral Component Interconnect (PCI) bus, a host bus 
and an Advanced Graphics Port (AGP) bus. 

19. The system of claim 16, wherein the bus is a dedicated 
bus solely for use by the first manipulation agent. 

20. The system of claim 16 further comprising: 

a host processor connected to the first manipulation agent 
via the bus. 

21. The system of claim 20, wherein the bus includes a 
backside bus. 

22. A system comprising: 

a processor substrate; 
a bus integrated in the processor substrate; 
a host processor coupled to the bus; and 
a manipulation agent placed on the processor substrate 
and connected to the bus, the manipulation agent 
including 
an internal bus, 

a memory element coupled to the internal bus, and 
a processor coupled to the internal bus, the processor to 
receive an electronically signed data set, to perform 
at least one lossy post-processing operation on data 
of the data set and to generate an extended digital 
signature for storage into a record of the data set; and 
a cartridge substantially enclosing the processor substrate. 

23. A system protecting integrity of a data set including 
data and a record, the system comprising: 

a bus; and a host processor connected to the bus, the host 
processor (i) to receive an electronically signed data 
set, (ii) to perform at least one lossy post-processing 
operation on data of the data set, (iii) to record char- 
acteristics of the at least one lossy post-processing 
operation on the data within a record of the data set, the 
lossy post-processing operation being associated with 
an operation on the data of the data set, and (iv) to place 
an extended digital signature into the record. 

24. The system according to claim 23, wherein the at least 
one lossy post-processing operation includes at least one 
cropping, feature enhancement, recolorization, 
compression, decompression, resolution reduction, interpo- 
lative resolution enhancement and rotation. 

***** 